3 posts tagged Phishing

Hiding in Plain Sight: Scattered LAPSUS$ Hunter and the Abuse of Trust in SSO Domains

How a single apex domain, dozens of brand-themed hostnames, smishing, and public Telegram recruitment fit together in one identity-focused pipeline, and what still belongs in the “open questions” column.

Unmasking the Threat: Telegram OSINT and Attempt at Attribution

Last time, in part 1, we made a deep dive into the overall campaign infrastructure operation, revealing multiple indicators and targeted groups. This time I am going to focus on the findings related to the odd one, referring to the unique phishing page I uncovered during the investigation...

Unmasking the Threat: A Deep Dive into a Phishing Campaign Targeting Corporate and Educational Emails

A massive campaign targets over 27,000 emails across 14,000 domains in the corporate and education sectors. A threat actor by the name of "Armandabors" on GitHub initially made a commit to GitHub to update the massive list of emails used for one of the phishing domains.
